Chafea/2018/Health/03 
Specific Contract No 2019 70 01 


Ministry of Health, Welfare and Sport 
Experts’ Workshop assessing the Member States’ rules on health data in the light of GDPR 2019/2020 


Guiding questions 


Experts’ Workshop assessing the Member States’ rules on health data 
in the light of GDPR, 16 March 2020 


General DIGITALEUROPE statement 


We urge the EU to lift barriers on the cross-border flow of health data and harmonise health data- 
processing conditions across Europe. 


Regulatory divergences exist as the GDPR allows Member States to maintain or introduce further 
conditions, including limitations, on the processing of genetic or health data. EU policy-makers 
should explore legislative actions to guarantee a harmonised framework of data-processing rules for 
both primary and secondary use of health data. Tackling this fragmentation is critical to create a 
common European health data space. We ask Members States to create a one-stop shop to 
facilitate the secondary use of data for research in accordance to national rules, EDPB guidance on 
GDPR interpretation by national DPAs and an EU Code of Conduct on health data-processing. 
Important actions must be defined to leverage the potential of data to find solutions for cross- 
border health threats more quickly. 


a. 10:45 — 12:00 CET: Session 2: Primary use of health data 


1. GDPR provides several legal bases for processing health data. 


- How common is consent as the main legal basis for processing health data for the 
primary purpose of providing care to patients? 

- How commonly is consent used as the legal basis for sharing data between healthcare 
providers? 

- Do problems arise when different legal bases are used by different providers both within 
one and across two or more MS? 

- What could be done to address this, should anything be done at EU Level? 


On the use of consent as main legal basis 

Consent is not commonly used for the processing of health data. However, in some cases, 
consent may currently be used when personal data may need to be disclosed to other parties 
associated with the treatment. Examples of the latter cases include custom implants, CAR-T 
(personalized medicine) and health apps. 
We also underline that there is legal fragmentation across the EU on the application and interpretation 
of consent. 


On problems arising from the use of different legal bases 

There is a lack of clarity which needs to be addressed. Guidance from regulators is needed on the 
applicable “rules of the road” for processing of health data. But at the same time, there is also a need 
for more public discussion so that patients better understand how, when and why their data will be 
used. To succeed, any effort to develop and implement new regulatory frameworks for research and 
secondary uses must go hand-in-hand with further clarification and explanation of — and enhanced 
trust in — those frameworks. 


Additionally, we would like to address the need for a wider, ethics-based discussion about new models 
for the use of health data — and for potentially supporting research projects that consider broadened 
concepts of “consent,” as well as ideas around “data donation.” Any such discussions will need to 
explore how these models can achieve the benefits of improved health outcomes through use of 
patient data, but also must be sensitive to the limitations on the use of such data to minimize risks to 
patients. 


2. GDPR creates a right to access data about oneself, to ask for corrections where inaccuracies are 
found and, in some cases, to have a portable version of the information to share with others; in 
some countries this is supported through ‘Personal Health Spaces’. 

- What is your experience of access to health information? 

- What needs to be done to facilitate patients’ access and control of records between 
healthcare providers? 

- What could be done to address this, should anything be done at EU Level? 


We support the GDPR ambition to create a user-centric data protection regime. 


We also point out there is fragmentation in the application of the right of access for data subjects in 
the GDPR. The Commission should take stock of these differences. It should build on its 
Recommendation on an Electronic Health Record Exchange Format and identify what constitutes a 
commonly used electronic form across the EU and the timeline to make data available to the data 
subject. 


3. EHRs are a key tool for health data collection, but it is not always easy for the data in EHRs to 
be shared. 


- What is your experience of the use of standards on interoperability within national or 
regional EHR procurement strategies? 

- What is your experience of a central body at national or regional level being established 
which controls governance of health data? 


Fast Healthcare Interoperability Resources (FHIR) is a standard describing data formats and elements 
and an application programming interface for exchanging electronic health records. It is largely 
leveraged in the US. 


The EU should step up efforts in terms of interoperability of health data through the application of 
the Electronic Health Record Exchange Format. This should be accompanied by the deployment of 
necessary resources for digital health infrastructures, both at national and EU level (e.g. national 
digital platforms and the eHealth Digital Service Infrastructure). 


More is elaborated below in Section b.3 as the issues addressed are similar. 


4. Some types of data are especially sensitive, e.g. genetic data; should there be special 
measures to address the processing and sharing of such data? 


Article 9 para. 4 of the GDPR allows Member States to maintain or introduce further conditions, 
including limitations, with regard to the processing of genetic data or data concerning health. This 
has resulted in Member States adopting different approaches to the processing of such data, making 
it difficult to access data and electronic health records from various institutions. This has led to legal 
fragmentation and different interpretations across Member States. EU guidelines, a Code of Conduct 
or building up interdisciplinary teams and fostering dialogue between stakeholders could be a way 
to mitigate this. These tools or initiatives should clarify, for instance, whether genetic data collected 
as part of clinical care should be treated differently than when collected in research. 


5. Digital health, including the use of apps and wearable devices, is growing more and more. 


- What is your experience of data from apps being integrated into EHRs? 
- What is your experience of patients having access to data from wearable or implanted 
devices? 


Data from apps are not commonly integrated into EHRs in the EU. There are useful examples from 
other jurisdictions to look at. In the US, FHIR, which is part of the Health Level 7 (HL7) ANSI standard 
for electronic health information, is connecting apps with health systems. More should be done to 
leverage existing international standards. 
b. 13:30 — 15:00 CET: Session 3: Secondary use for research 


1. Sharing data for research can be permitted through the explicit consent of the patient or 
through special research platforms (like FinData) or through access granted by research ethics 
committees. 

- What is your experience of the different routes to making data available for research? 

- In how far is consent useful? 

- Do different legal bases and organisational approaches cause problems? 

- Could EU level action address any of these issues? 

- Have you experienced different rules depending on the legal nature of the researcher, 
e.g. the physician caring for the patient or someone working within the same healthcare 
provider setting, a researcher in a publicly funded organisation such as a university or 
public research institute, a private sector researcher? 

- Is research by a physician working in the same health care organisation as treats that 
patient treated differently? 

- Is there any difference in the way the pharmaceutical and medical technology industries 
are treated as compared to consumer electronics companies or insurers? 

- Would EU level guidance on this matter be useful? 


We urge the EU to lift barriers on the cross-border flow of health data and harmonise health data- 
processing conditions across Europe. 


Regulatory divergences exist as the GDPR allows Member States to maintain or introduce further 
conditions, including limitations, on the processing of genetic or health data. EU policy-makers 
should explore legislative actions to guarantee a harmonised framework of data-processing rules, 
including for the secondary use of health data. Tackling this fragmentation is critical to create a 
common European health data space. 


About consent as the legal basis and legacy data issues 


Consent can have downsides for medical research today, primarily due to issues of legacy data. When 
a research proposal is generated, it may not be possible to reach back to the patients for a number of 
reasons (patient death, lack of a direct communication line with the patient, etc.). Some Member 
States (e.g. Germany) are very focused on consent for data processing. This hinders the secondary 
use of data, especially in the health sector. 


Consent plays an important role but is neither the only nor the default legal ground. It should hence 
not be emphasised as the primary legal basis for processing, nor should the other legal bases be 
interpreted and applied as exceptions or in an unreasonably narrow way. There are a few promising 
developments in this respect. Ireland, for example, has adopted specialised regulations on health 
research, which include a broad definition of what activities fall into that category, and which 
impose a range of safeguards on health data-processing, including prior approvals by research ethics 
committees and compulsory data protection training for researchers. Similarly, German law allows 
for the use of health data without consent for scientific research, following a balancing of interest 
test and subject to safeguards, such as encryption, training, and the appointment of a Data 
Protection Officer. In Belgium, the national law was updated to lift (subject to safeguards) certain 
rights of individuals in their personal data in order to better balance the interests of individuals with 
the specific needs of scientific research. 


Yet, ultimately we need more action at national level to improve the framework for secondary use of 
health data to promote public health. Generally speaking, conditions on the processing of personal 
data for scientific research purposes are far too divergent across Member States. We urge more 
alignment. Harmonising best practices at EU level will benefit the European research community, 
especially in light of the upcoming Common European Health Data Space. 


Importantly, as consent under GDPR should ideally be specific, there is a preference to rely on other 
legal grounds such as public or legitimate interest. This approach seems also to reflect the position 
of the European Data Protection Board (Opinion 3/2019). 


More clarity and uniformity is nevertheless needed on the concept of legitimate interest. A good 
example is the Finnish Act on the secondary use of health data for research, where data requests are 
handled by a centralised data permit authority. 


A Code of Conduct as the way forward 


We stand for the creation of a Code of Conduct defining a model where “consent” (if required) 
would rather be an additional “ethical” safeguard than a legal basis for the processing. There could 
be different options to ensure patient control on how the data is used in such model. These aspects 
would be spelled out in the Code of Conduct. Examples of possible options are: 

1. Each citizen should be allowed to provide a one-off permission to allow his/her data 
to be used for general health research governed by an ethical and security framework 
detailed in the Code of Conduct. This option could work in practice, but would entail 
limited possibilities to use legacy data. 

2. Health data is allowed to be processed for health research governed by an ethical and 
security framework detailed in the Code of Conduct, provided the citizen does not use 
their right to opt out of / object to such processing. This option may also allow the use of 
legacy data, under the conditions defined in the Code of Conduct. 


About the legal nature of the researcher 


Generally, the rules concerning any further use of health data for research purposes are 
currently fragmented and unclear, in particular for collaborative research activities. For 
example, healthcare providers may be hesitant to explore possibilities of sharing data with 
private companies. This is often due to legal uncertainty and lack of clear interpretations. In 
addition, private companies may struggle to see how they can contribute with data (e.g. data 
collected in clinical research) to government funded research such as public-private 
collaborative initiatives under IMI. A Code of Conduct may give additional certainty. 


Since research is often done in a collaboration between public institutions and private 
companies, a Code of Conduct, or other legal instruments, should be applicable to publicly 
funded organisations as well as private companies. A Code of Conduct should also allow both 
private parties and public research institutes to share and use health data for research 
purposes, either separately or in collaboration, and under the conditions outlined in such a 
Code. 


We also point out a Code of Conduct would help to address legal fragmentation when it 
comes to processing of data for scientific research. In some Member States, consent should be 
obtained and becomes the legal basis instead of the derogation for scientific research which is 
applied in other Member States. This is very challenging for businesses operating in these 
different Member States (Art. 89.2 of the GDPR). 


Finally, a Code of Conduct could give guidance on what level of de-identification and 
anonymisation is appropriate under which circumstances. 


2. What is your experience of patients/ citizens being informed about data used for research? 
- Do you know of any measures that have been adopted to inform patients about the value 
of health data being used for research? 
- Is EU level action needed on this issue? 


Trust is important. We believe there is a need to establish common models on how patients 
can be reasonably informed about how data is used for research. 


Patients should indeed be made aware of how health data can drive innovation in health care, 
as well as of the governance and safeguards that would apply to any further use of health data 
for research purposes. Equally, they should be informed that research today often happens in 
a public-private collaboration. Without generally recognised governance models (like through 
a Code of Conduct), and interpretations that clearly enable the use of data for research 
purposes, it may be difficult to gain the necessary trust to unlock data-driven innovation 
possibilities. 

The EU could step up efforts to earn patient trust, educate EU citizens and make them aware 
of the benefits that sharing their data can bring to their lives and health. 


The concepts of ‘data donation’ or ‘data altruism’ could be further explored. 


Data Saves Lives is an example of initiatives to leverage. It is a multi-stakeholder initiative 
aiming to raise wider patient and public awareness about the importance of health data. It 
helps to improve understanding of how data is used and establish a trusted environment for 
multi-stakeholder dialogue about responsible use and good practices across Europe. 


3. Data used for research may be in many different formats and from many different sources 
- how well do you think issues of data interoperability are being addressed in your MS, 
have you experienced any issue with data interoperability between different data 
sources? 
- Would EU level action be helpful on this issue? 


About data interoperability issues 


The main challenges to the use of patient data are caused by the data being siloed in many different 
places. While technical interoperability challenges related to moving data between different EHRs 
are usually one of the most frequently cited causes of these data silos, there is also a range of 
other semantic and organizational barriers and blockers that we must address. This is key to 
capitalise on the full potential of applying modern technologies to patient health data. 


Examples of data silos include data from a single patient scattered across different healthcare 
providers that have treated that patient, data developed in large clinical research datasets outside 
traditional provider relationships with patients and, increasingly, data developed by patients 
themselves as they leverage new technologies to collect their own data or record information 
about outcomes (Patient Reported Outcome Measures or PROMS, as this data is known). These 
datasets are often in different computer systems in unique technical formats, collected for 
different purposes and thus semantically divergent and nominally controlled by entities in 
different places in the healthcare continuum (often entities with potentially divergent interests). 
At a foundational technical level, there have indeed been technical interoperability challenges to 
aggregating and leveraging the data of an individual patient. 
About action at EU level 


Market-driven, consensus-based standards are critical for data-driven healthcare and 
technologies. They allow us to overcome data interoperability obstacles and support effective 
data exchange. Healthcare developers are tasked with the challenge of bringing diverse datasets 
together and developing machine learning across those datasets. 


We believe the best way to support developers working with health data is to offer tools that 
allow them to come together — for collaboration, creation, sharing, and building on each other’s 
work. Significant progress is being made on this front in the form of a new consensus-based global 
standard named the Fast Healthcare Interoperability Resources (referred to as FHIR and 
pronounced «fire»). This important standard describes data formats and an application 
programming interface (API) for exchanging electronic health records. Importantly, a range of 
large EMR vendors and others in the technical community, including all major cloud computing 
vendors, have embraced FHIR. 


4. Do you find that the principles of FAIR data (findable, accessible, interoperable and re- 
usable) are being addressed in your Member State through any form of legislation or other 
concrete measures? 

- Would EU level action be helpful on this issue? 


There needs to be a clear and coherent legal framework to encourage access to and sharing of 
healthcare data while protecting privacy of personal data. This includes: 


- Interoperability measures to support data linkage: 

  - Encourage the adoption of standards for healthcare data and open exchange 
formats for Electronic Health Records 

  - Extend the European Health Digital Service Infrastructure (eHDSI) to facilitate health 
data exchange of medical images, laboratory results and discharge 
reports as announced in the European Commission’s Data Strategy, and seek to 
include full EHR later on. 

  - Develop guidelines for open healthcare data exchange formats beyond EHRs, 
including research, clinical data, longitudinal data (full historic medical records), as 
well as data generated by wearable and implanted devices or apps. 

  - Scale up existing Innovative Medicines Initiative (IMI) projects focused on the 
secondary use of data, such as EHDEN. 


- Regulatory sandboxing to create federated networks of health research data centres to: 

  - foster the uptake of federated data models and facilitate interoperability and 
connectivity while respecting GDPR requirements. Such federated networks have 
the potential to unlock the barriers to accessing healthcare data and, in turn, 
facilitate learning healthcare systems. 


- Invest in enabling digital infrastructure. Critical infrastructures throughout the healthcare 
value chain need resources to meet Europe’s objective to achieve sustainable and high- 
quality healthcare. In particular, the EU should: 

  - Support Member States’ efforts to establish robust infrastructure to access and 
share their health data while respecting citizens’ rights, sharing best practices, and 
building on successful examples from countries such as Finland (Findata) and Estonia 
(X-Road), and the recent Health Data Hub initiative supported by President Macron 
in France. 

  - Ensure an adequate level of investment under the next Multiannual Financial 
Framework through spending programmes such as the Digital Europe Programme 

  - Promote the development of “hospitals of the future”: Hospitals could become 
digital innovation hubs making use of new technologies (such as AI) to improve the 
value and standards of care across the board. 

  - Facilitate the provision of community-based care to reflect and incentivise new 
models of healthcare delivery 

  - Support patients to be treated remotely (e.g. telemedicine, polyclinics) through 
modernised regulatory and reimbursement models, as well as awareness and 
educational training. 


- Fund infrastructure to advance diagnostics such as next-generation genome sequencing, 
building on initiatives like the European 1+ million genome project. 


5. What is your experience of research platforms/ governance structures to facilitate access to 
data for research? 
- Do you have experience of such systems? 
- Should such platforms be purely public, public-private-partnership or other structure? 
- Are national level governance structures appropriate for cross-border research? 


A strong governance structure is needed, e.g. Findata 


Federated data models that provide only aggregated research results to any central database 
and keep any personal data at the source (e.g. the hospital) can unlock the barriers to 
accessing healthcare data. This, in turn, would facilitate learning healthcare systems (such as 
IMI EHDEN). 


6. Some countries have adopted systems to drive health data altruism to allow patients to share 
data for research. 
- Do you have experience of such systems? 
- Should such platforms be purely public, public-private-partnership or other structure? 
- Are national level governance structures appropriate for cross-border research? 
The concept of ‘data altruism’ could be further explored. 


It is crucial that governance models (like those defined in a Code of Conduct) provide 
possibilities to create different types of structures. This is important considering how many 
research initiatives happen in public-private partnerships and other related schemes. 


7. Could EU level action support such systems? 
- Could a code of conduct or other EU level measures on secondary use of data for 
research purposes at EU level be helpful, and if so, what should be their scope? 
- Is there a place for EU level infrastructure or a platform to facilitate data sharing for 
planning and pharmacovigilance research? 


There is legal fragmentation across the EU when it comes to the secondary use of data. 

EU guidelines or a Code of Conduct could indeed drive the necessary harmonisation and 
enable research for the benefit of patients. They would ensure necessary governance and the 
consistent application of ethical principles and appropriate safeguards. 


c. 15:30 — 16:30 CET: Session 4: Secondary use for wider purposes 


1. Health data are needed for the planning, management, administration and improvement of 
the health and care systems. 
- What is your experience of any special rules to allow data collected for care 
purposes to be used in this way? 
- Would EU level action on this issue be useful? 


2. Regulators are looking at new sources of data to be used in the context of market approval of 
medical device and medicines, medical device monitoring and pharmacovigilance. 
- Do you feel health systems are ready to move to the next stage in using such data? 
- What issues have you experienced in this respect? 
- Would EU level action on this issue be useful? 


No, the health systems are not currently ready. There are today differences on the 
interpretation of the legal basis of the processing as well as the recognition of what safeguards 
should be applied. Even if the GDPR provides possibilities to rely on legal grounds other than 
consent, the latter is in some Member States recognized as required. 


For example, a research initiative that may be possible in one Member State and that relies on 
public/legitimate interest together with Article 9.2.j of the GDPR, may well not be possible in 
another country. That is because the latter country has consent-based requirements. 

The current situation, with the level of fragmentation that exists, also makes it difficult for 
healthcare companies to further use data for research purposes. It also creates limitations and 
challenges for these companies to, say, share in important government-funded research 
initiatives the data they collected in clinical research. IMI is one such example. 


In general, it is important to get clarity on the possibility to rely on public or legitimate interest 
coupled with Article 9.2.j of the GDPR. We also need clarity on the associated safeguards to be 
applied. Together with that, there is a need to develop ethical principles in the treatment of 
personal healthcare data. It is crucial to have legal certainty for the sake of consistency and to 
unlock data use potential. 


Appropriate safeguards may include: 


- Scientific oversight intended to ensure the validity of research projects 

- Measures of de-identification or pseudonymization 

- Security measures 

- Good Clinical Practice (GCP) standards 

- Contractual measures prohibiting attempts to re-identify 

- Data minimisation 

- Data protection policies in place (and overseen) in the organisations processing the data, 
including Data Privacy Impact Assessments (DPIAs) 

- Professional standards (such as secrecy obligations) 


A Code of Conduct could offer a few potential solutions to provide increased certainty and 
enable the use of new sources for research purposes. These include: 


1) Recognize the possibility to use a “relative” anonymization model. This would provide 
traceability back to the source records without providing a risk for subject identification by 
the parties involved in the specific context. Policy and contractual requirements, as well as 
security measures applied, would all be considered. Defining necessary standards and 
required governance are key to enable this “relative” anonymization model. Its benefits 
would lie in enabling research by facilitating different data-sharing settings: from institutions 
to researchers, between pharmaceutical companies (e.g. to limit the need for a placebo / 
standard-of-care arm in a clinical trial) as well as from pharmaceutical companies to 
government-funded research initiatives. 

2) The possibility of an “opt-out” model to apply whenever relative anonymization may not 
satisfy the needs. While guaranteeing limited risks to individuals thanks to high levels of 
governance and standards, this option would make it possible for individuals to request that their 
data not be used. This model is particularly fit for research fields where the nature of the 
activities conducted gives a higher risk of re-identification than usual, and where further de- 
identification may impact on the ability to conduct the research. Examples in this respect are 
rare diseases, genetic research and research for personalised medicines. 

3) The possibility, as an alternative to n.2, of an “opt-in” model where a patient may “opt in” to take 
part in health-related research governed by a dynamic framework, that is to say, a 
framework that may change over time due to new research areas identified. The downside 
of this model lies in being unsuitable for any use of “legacy data”. Even in this model, it may 
be difficult to rely on consent as the legal basis, as it may not meet one key criterion for a 
valid consent under GDPR, i.e. that consent be “specific”. 


For all these scenarios, there would likely be a need to be able to rely on public interest or 
legitimate interest coupled with Article 9.2.j of the GDPR. This would allow that the necessary 
evidence required by health authorities (depending on the nature of the research) is retained 
even in case of opt-outs / consent withdrawals. 


3. Health data are also an important aspect of developing systems for protection against serious 
cross-border threats to health 
- Have you experienced any difficulties in data being used in this way? 
- Would EU level action on this issue be useful? 


The GDPR provides for a public health exception to the authority to process personal data 
concerning health. In such a case, informed consent by the data subject to the exchange of their 
personal (health) data with one or more Member States is not necessary, and it is up to the 
individual Member State to carefully review the extent to which the protection of individual 
rights is outweighed by the necessity to protect the common good. However, this framework has 
created considerable hurdles for companies operating cross-border research, led to 
fragmentation and brought additional cost for compliance. Importantly, the most costly impact 
is that potential benefits for diagnosis, treatment and care are delayed or put out of reach. 


For all these scenarios, also in light of COVID-19, it would be beneficial for all actors to have a 
more supranational EU approach to regulate risks of “serious cross-border threats to health” 
such as pandemic disease outbreaks, including for research purposes. 


4. Health data to be used for wider public health research may be in many different formats. 
- How well do you think issues of data interoperability are being addressed in your MS? 
- Are the principles of FAIR (findable, accessible, interoperable and re-usable) data being 
addressed in your MS through any form of legislation or other rules? 


5. Is EU level action needed to address any of the issues raised? 
- Could a code of conduct on secondary use of data for wider public health research 
purposes at EU level be helpful? 
- Is there a place for EU level infrastructure or a platform to facilitate data sharing for 
planning and pharmacovigilance research? 


A Code of Conduct can hopefully provide clarity on the boundaries and conditions for the use 
of health data as well as define safeguards to apply. This could provide further possibilities to 
use health data for research purposes and provide the legal certainty needed. 




